APTUS HEALTH’S APPROACH TO GDPR PREPAREDNESS

Online data has the potential to offer great value to consumers; it also requires careful management to ensure its protection from unauthorized use. By creating the General Data Protection Regulation (GDPR), the EU has made a bold new commitment to maintaining privacy on user’s personal data, especially in the face of advancements in technology and globalization.

As a global digital marketing organization focused on deliveringhigh-value content to healthcare professionals, Aptus Health has always striven to be as transparent as possible with our user community. This philosophy has helped us build trusted relationships with our audience. Our efforts to comply with the GDPR underscores our commitment to ensuring data protection and thus, greater value to the people we serve.

Read on to learn how Aptus Health has addressed the new Regulation and is prepared for its enforcement.

WHAT IS GDPR?

The EU General Data Protection Regulation (“GDPR”) comes into force on 25th May 2018 and brings with it the most significant changes to data protection law in decades. GDPR builds on the 1995 Data Protection Directive and modernizes data regulation to reflect technical evolutions over the past 25 years and how businesses use and collect data today.

Whilst the Directive was implemented in each state of the European Union, GDPR will apply directly in all EU states, driving consistency and harmonization across the EU. GDPR provides new and stringent safeguards for personal data. Designed to strengthen individuals’ rights and create better transparency and control, it will ensure data subjects are better informed and have greater control over their personal data. It also requires new controls to protect against data breaches, and to ensure that companies build strong data privacy and security into every aspect of their business, workplace, and products.

WHAT IS APTUS HEALTH’S APPROACH TO DATA PROTECTION?

Aptus Health believes that the privacy, security, accuracy, and integrity of personal data is a fundamental right and has always made privacy and data protection a central part of our business. We embrace the principles of GDPR and recognize that the regulation will continue to drive us towards the highest standards in protecting data.

At Aptus Health, we already deploy a comprehensive and effective data protection program. However, we recognise our responsibility to update and expand our program and have taken necessary steps to meet the demands of the GDPR. For more than a year, we have undertaken an extensive GDPR compliance program, not only because the regulation requires it, but because building GDPR safeguards into everything we do is a key part of our commitment to our customers, network of healthcare professionals, and consumers. Privacy by default and design has always been part of our corporate DNA.

Third-party tools and marketing technology providers (i.e., marketing automation platforms, CRMs, etc.) are integrated into our operations and data ecosystem. Therefore, in addition to our own preparation, we have taken measures to confirm that our partners share our commitment to GDPR compliance.

HOW HAVE WE PREPARED TO MEET THE REQUIREMENTS OF GDPR?

Prior to GDPR, Aptus Health already had robust programs in place addressing the importance of privacy, data protection, and security across our organization. We have subsequently implemented strong new and/or updated existing privacy and data protection programs and processes to ensure that we are ready to meet GDPR requirements.

Our preparation includes the following:

  • Employee Awareness and Training: It is vital that Aptus Health foster continuous employee awareness and understanding to be compliant with GDPR requirements. All of our employees— including those who work outside the EU—have been involved in preparation for GDPR and have completed mandatory general awareness training, reviewed and signed off on the GDPR policies.
  • Records of Processing: We have created a Processing Register and Data Inventory to identify which of our business processes use personal information, why the personal data is being processed, if and to whom it is disclosed, what the lawful basis of processing is, and where it is stored and transferred. We plan to continuously update these records and maintain them foraccountability purposes.
  • Policies & Procedures: We have implemented new and revised existing privacy and data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including the following GDPR policies:
    • Compliance Overview Policy
    • Roles and Responsibilities Policy
    • Lawfulness of Processing Policy
    • Rights of the Data Subject Policy
    • Data Subject Rights Information Notices Policy
    • Records of Processing Policy
    • Security of Processing Policy
    • Data Protection by Design/Default Policy
    • Cross Border Transfer Policy
    • Data Breach Policy
    • Sanctions, Penalties, and Fines Policy
  • Governance Policy Procedures/Plans
    • GDPR Privacy/Security Incident Management Plan/Data Breach Procedures: We have updated our existing privacy and security incident management procedures, including adding GDPR breach requirements to help ensure we are able to meet deadlines for reporting data breaches.
    • International Data Transfers & Third-Party Disclosures: Where Aptus Health stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt, and maintain the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as provisions for standard data protection clauses for those countries considered not to have sufficient privacy protections in place. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
    • Data Subject Access Request (DSAR): We have revised our procedures to accommodate the revised 30-day timeframe for providing requested information. Our new procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply, and response templates to ensure that communications with data subjects are compliant, consistent, and adequate.
    • Other Data Subject Rights Processes: We have created new and/or updated existing procedures and technical controls to address expanding and/or changing data subject rights such as data portability, data subject restriction, erasure, and objection.
    • Data Protection by Design/Default
      • New System Development Life Cycle Processes: We have developed organizational procedures for embedding appropriate privacy protective measures in applications, services, and/or products that are being newly developed or changed. The above measures support the protection of the data subject’s privacy and safeguard their personal data. These measures are implemented during the entire lifecycle of the processing of the personal data. Where applicable, we intend to ensure the most restrictive privacy settings are turned on by default.
      • Data Protection Impact Assessments (DPIA): We have developed robust procedures including assessment templates for carrying out data protection impact assessments that align with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity, and implement mitigating measures to reduce the risk posed to the data subject(s).
  • Legal Basis for Processing: We reviewed all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity to which it relates. We maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
  • Privacy Notice/Policy: As part of our commitment to privacy, to transparency, and in compliance with GDPR, we updated our Privacy Notices, ensuring that individuals whose personal data may be processed by Aptus Health (eg., users, clients, and employees) have even more clarity and transparency on how personal data is used, what their rights are, to whom the information is disclosed, and what safeguarding measures are in place to protect their information.
  • Obtaining Consent: In circumstances here we rely on individuals’ consent to process their personal data, we have assessed and updated our consent mechanisms where needed, ensuring that consent given by individuals meets the requirements of GDPR and are freely given, specific, informed, and unambiguous. We also developed strong opt-out mechanisms to ensure that individuals have a simple and easily accessible way to withdraw their consent at any time.
  • Direct Marketing: We assessed and reviewed processes related to Aptus Health’s direct marketing activities and, where required, strengthened opt-in mechanisms and related opt-out notices and methods.

HOW DO WE ENSURE THAT OUR VENDORS/PROCESSORS MEET THEIR GDPR OBLIGATIONS?

  • Processor (Vendor/Partner) Compliance Assessments - To ensure that third-party vendors and partners that we use to process personal information on our behalf (i.e., Hosting, Analytics, Payroll, Recruitment) meet and understand their GDPR obligations, we have implemented a Third- Party Vendor Compliance Assessment process. This process includes the evaluation of General Compliance, Privacy, Security, and
  • Special Categories Data – Aptus Health’s commercial activities do not involve the collection of special categories of personal data. If and when Aptus Health may need to collect and process special categories of personal data, Aptus Health will do so in compliance with the requirements of Article 9 of GDPR.
  • International data transfers – Aptus Health is a company that operates at a global level with suppliers, clients and subsidiaries outside of the European Economic Area (EEA). Aptus Health only transfers personal data or allows it to be processed by third parties outside of the EEA when the requirements of GDPR are met and when appropriate safeguards are in place to ensure an adequate level of protection. Aptus Health has entered into standard contractual clauses with its affiliates located outside the EEA. Aptus Health complies with the principles of the EU-U.S. Privacy Shield and the Swiss-US Privacy Shield Frameworks in relation to transfers to the US. Aptus Health also screens third parties’ suppliers and business partners and reviews, implements and documents safeguards before cross-border transfers on a systematic basis. Aptus Health has previously certified to the Safe Harbor and is in the process of certifying to the Privacy Shield.

DATA SUBJECT RIGHTS

Aptus Health has processes in place to ensure that individuals can enforce their data protection rights. These include the following rights to:

  • Access and rectification
  • Transparency and basic information
  • Data portability
  • Erasure
  • Restriction of processing
  • Withdraw consent
  • Object to processing

To ensure individuals can enforce their data protection rights, we provide them with detailed information on how to exercise their rights.

WHAT TECHNICAL AND ORGANIZATIONAL MEASURES ARE IN PLACE?

We have robust information security policies, procedures and controls (both organizational and technical) in place to protect personal information from unauthorized access, alteration, disclosure or destruction, and have implemented several layers of security measures based upon the assessed risk of the personal data to which we have been entrusted.

Some of these measures are highlighted below:

Organizational Controls:

  • Privacy and Information Security Program Framework
  • Policies and procedures, standards, and guidelines
  • Training and awareness activities
  • Third party compliance assessments
  • Processing Register, Data Inventory, and Asset Management
  • Data Protection by Design/Default (including Data Protection Impact Assessments and associated risk analysis)
  • Record Retention Controls

Technical and Physical Security Controls:

  • Data Classification/Handling
  • Encryption at rest, encryption in transit (SSL/SSH)
  • Anonymization and pseudonymization controls
  • Access, authentication, and authorization controls
  • Password controls
  • Laptop, removable media, and mobile device management controls
  • Anti-malware/anti-virus controls
  • Network, remote access, and wireless security controls
  • Physical security and desktop controls
  • System Configuration and Patch Management
  • Vulnerability Management/Penetration Testing
  • Privacy and Security Incident Management/Data Breach Handling
  • Disaster Recovery, Backup and Replication Controls
  • Logging and Monitoring Controls

GOVERNANCE

Governance Team

Aptus Health has appointed a GDPR Governance Committee with the primary responsibility of guiding the company in meeting all GDPR accountability requirements. This team, which includes senior management, is responsible for assisting Aptus Health in its role as a data controller and/or data processor, especially those associated with GDPR accountability requirements.

These accountability measures include, but are not limited to, activities such as:

  • Performing and documenting Privacy and Data Protection Impact Assessments, data processor reviews, internal and external audits, technical and organizational controls (policies and procedures), ongoing training and awareness activities
  • Implementing measures to meet the principles of data protection by design and by default;
  • Maintaining, updating, and documenting existing and new records of business process activities and other required records
  • Incorporating updated regulatory information and/or guidance into our existing GDPR compliance programs
  • Creating formal procedures to ensure that personal data breaches are addressed appropriately and in a timely manner
  • Appointing a Data Protection Officer (DPO)

DATA PROTECTION OFFICER (DPO)

We have designated Soline Gassmann as our Data Protection Officer (DPO) and have appointed a data privacy team that has developed and implemented our roadmap for compliance with the new data protection regulation.

If you have any questions about our preparation for the GDPR, please contact our Data Protection Officer (DPO) by emailing DPO@aptushealth.com.